Connect with us

Hi, what are you looking for?


Mobile & Wireless

Android 7.0 Packs Re-Architected Mediaserver, Other Security Enhancements

Google has re-architected the Mediaserver component in Android 7.0 Nougat and included other security enhancements in the new platform release.

Google has re-architected the Mediaserver component in Android 7.0 Nougat and included other security enhancements in the new platform release.

Android Nougat was released on Aug. 22, but Google decided to provide detail on the security enhancements on Sept. 6. In addition to the re-architected Mediaserver, other ehnacements include a new Direct Boot mode, hardened media stack, strict enforcement of verified boot with error correction, and a reduced attack surface and better memory protection via updates to the Linux kernel.

Courtesy of the newly introduced Direct Boot, users no longer need to enter their PIN/pattern/password to have access to the phone’s main features, such as the phone app and alarm clock during the boot process. Android 7.0 also comes with file-based encryption, designed to deliver an improved user experience, as the system storage area and each user profile storage areas are encrypted separately.

Android Smartphone “Unlike with full-disk encryption, where all data was encrypted as a single unit, per-profile-based encryption enables the system to reboot normally into a functional state using just device keys. Essential apps can opt-in to run in a limited state after reboot, and when you enter your lock screen credential, these apps then get access your user data to provide full functionality,” Xiaowen Xin, Android Security Team, explains.

File-based encryption, Google says, can better isolate and protect individual users and profiles on the device. A unique key is used to encrypt each profile and only the user’s PIN or password can unlock that profile, Google explains. The new platform also requires that new capable Android devices pack trusted hardware, such as the ARM TrustZone, which is used to store security keys.

After Stagefright made headlines last year, Google has been patching Critical vulnerabilities in Android’s Mediaserver almost every month, and the company decided to harden and re-architect the component to improve security. For that, the company has introduced integer overflow sanitization to “prevent an entire class of vulnerabilities, which comprise the majority of reported libstagefright bugs.” Now, the process is stopped as soon as an integer overflow is detected.

Additionally, the media stack has been modularized, “to put different components into individual sandboxes and tightened the privileges of each sandbox to have the minimum privileges required to perform its job.” Due to this containment technique, attackers able to compromise parts of the stack will have access to significantly fewer permissions and significantly reduced exposed kernel attack surface.

According to Xin, numerous other protections were also added to the platform, including:

Verified Boot: Verified Boot is now strictly enforced to prevent compromised devices from booting; it supports error correction to improve reliability against non-malicious data corruption.

Advertisement. Scroll to continue reading.

• SELinux: Updated SELinux configuration and increased Seccomp coverage further locks down the application sandbox and reduces attack surface. Library load order randomization and improved ASLR: Increased randomness makes some code-reuse attacks less reliable.

• Kernel hardening: Added additional memory protection for newer kernels by marking portions of kernel memory as read-only, restricting kernel access to userspace addresses, and further reducing the existing attack surface.

• APK signature scheme v2: Introduced a whole-file signature scheme that improves verification speed and strengthens integrity guarantees.

In the new Android release, apps are protected from accidental regressions to cleartext traffic, and trusted certificate authorities are being handled in a different manner. Last year, Google launched an Android security rewards program, and decided to increase the maximum payouts that developers can receive for critical vulnerabilities to up to $50,000 for flaws in TrustZone or Verified Boot.

Specifically, applications targeting API Level 24+ will no longer trust by default user-installed certificate authorities and those installed through Device Admin APIs. Moreover, “all new Android devices must ship with the same trusted CA store,” Xin notes.

In Android 7.0, apps looking to share data with other apps now must explicitly opt-in. Moreover, developers can more easily configure network security policy through a declarative configuration file, which includes blocking cleartext traffic, configuring the set of trusted CAs and certificates, and setting up a separate debug con

App permissions and capabilities were also refined to increase protection. For example, Google has further restricted and removed access to persistent device identifiers such as MAC addresses, while user interface overlays can no longer be displayed on top of permissions dialogs, which should prevent apps from performing “clickjacking” attacks.

“We’ve reduced the power of device admin applications so they can no longer change your lockscreen if you have a lockscreen set, and device admin will no longer be notified of impending disable via onDisableRequested(). These were tactics used by some ransomware to gain control of a device,” Xin explains.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Samsung smartphone users warned about CVE-2023-21492, an ASLR bypass vulnerability exploited in the wild, likely by a spyware vendor.

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Mobile & Wireless

Asus patched nine WiFi router security defects, including a highly critical 2018 vulnerability that exposes users to code execution attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.